tracerpt.exe
- File Path:
C:\Windows\system32\tracerpt.exe - Description: Event Trace Report Tool
Hashes
| Type | Hash |
|---|---|
| MD5 | B28148E4DC7BD3E63DC0162EBC33685C |
| SHA1 | FDE2AB2CFBA3D62C79B74D214C4AC9BB31BCD2B6 |
| SHA256 | 2ECE870892BB1C19AE933A5411560D1FE4EB51DD6B6B510F82B05F2B1BA49851 |
| SHA384 | 6ADEB283DC134165C6786FE590E4422906CCCCE4E5CE2F7B808CDB362BA481206C9B6994DB64AEC1719AEC0F71E2021B |
| SHA512 | F2375BBECED332E1C9FBDBBD24285FE83DD1CC207CF9BF2F17E378577202D242E8D38772ED260D339B70FAF6A1C8FC2C975C6DB0E06792519ECB7FD94A636746 |
| SSDEEP | 6144:Jwtn9ITcMqHx2kPlatC20/H272230KIR2lpt8fWoF5iyOW/TqxUB:+9ITCHx2k9/UUF54k |
| IMP | 46E5DA1ED3EC55407D760ABB247DEF1C |
| PESHA1 | E6BB607BC46334D0783E41DBDBE9580100C3499F |
| PE256 | 0709D6D02C89AC07E7AA57E3EA8F8FB12921EBFE1048C9165C7479D5BAD9A877 |
Runtime Data
Usage (stdout):
Microsoft r TraceRpt.Exe (10.0.19041.546)
Usage:
C:\Windows\system32\tracerpt.exe <[-l] <value [value [...]]>|-rt <session_name [session_name [...]]>> [options]
Options:
-? Displays context sensitive help.
-config <filename> Settings file containing command options.
-y Answer yes to all questions without prompting.
-f <XML|HTML> Report format.
-of <CSV|EVTX|XML> Dump format, the default is XML.
-en <ANSI|Unicode> Output file encoding. Only allowed with CSV
output format.
-df <filename> Microsoft specific counting/reporting schema
file.
-import <filename [filename [...]]> Event Schema import file.
-int <filename> Dump interpreted event structure into
specified file.
-rts Report raw timestamp in event trace header.
Can only be used with -o, not -report or
-summary.
-tmf <filename> Trace Message Format definition file
-tp <value> TMF file search path. Multiple paths can be
used, separated with ';'.
-i <value> Specifies the provider image path. The
matching PDB will be located in the Symbol
Server. Multiple paths can be used, separated
with ';'.
-pdb <value> Specifies the symbol server path. Multiple
paths can be used, separated with ';'.
-gmt Convert WPP payload timestamps to GMT time
-rl <value> System Report Level from 1 to 5, the default
value is 1.
-summary [filename] Summary report text file. Default is
summary.txt.
-o [filename] Text output file. Default is dumpfile.xml.
-report [filename] Text output report file. Default is
workload.xml.
-lr Less restrictive; use best effort for events
not matching event schema.
-export [filename] Event Schema export file. Default is
schema.man.
[-l] <value [value [...]]> Event Trace log file to process.
-rt <session_name [session_name [...]]> Real-time Event Trace Session data
source.
Examples:
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
tracerpt logfile1.etl logfile2.etl -o -report
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\system32\tracerpt.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: TraceRpt.Exe.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/2ece870892bb1c19ae933a5411560d1fe4eb51dd6b6b510f82b05f2b1ba49851/detection
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
tracerpt
The tracerpt command parses Event Trace Logs, log files generated by Performance Monitor, and real-time Event Trace providers. It also generates dump files, report files, and report schemas.
Syntax
tracerpt <[-l] <value [value [...]]>|-rt <session_name [session_name [...]]>> [options]
Parameters
| Parameters | Description |
|---|---|
-config <filename> |
Specifies which settings file to load, which includes your command options. |
| -y | Specifies to answer yes to all questions, without prompting. |
-f <XML | HTML> |
Specifies the report file format. |
-of <CSV | EVTX | XML> |
Specifies the dump file format. The default is *XML. |
-df <filename> |
Specifies to create a Microsoft-specific counting/reporting schema file. |
-int <filename> |
Specifies to dump the interpreted event structure to the specified file. |
| -rts | Specifies to add the report raw timestamp in the event trace header. Can only be used with -o. It’s not supported with -report or -summary. |
-tmf <filename> |
Specifies which Trace Message Format definition file to use. |
-tp <value> |
Specifies the TMF file search path. Multiple paths may be used, separated by a semicolon (;). |
-i <value> |
Specifies the provider image path. The matching PDB will be located in the Symbol Server. Multiple paths can be used, separated by a semicolon (;). |
-pdb <value> |
Specifies the symbol server path. Multiple paths can be used, separated by a semicolon (;). |
| -gmt | Specifies to convert WPP payload timestamps to Greenwich Mean Time. |
-rl <value> |
Specifies the System Report Level from 1 to 5. Default is 1. |
| -summary [filename] | Specifies to create a summary report text file. The filename, if not specified, is summary.txt. |
| -o [filename] | Specifies to create a text output file. The filename, if not specified, is dumpfile.xml. |
| -report [filename] | Specifies to create a text output report file. The filename, if not specified, is workload.xml. |
| -lr | Specifies to be less restrictive. This uses best efforts for events that don’t match the events schema. |
| -export [filename] | Specifies to create an Event Schema export file. The filename, if not specified, is schema.man. |
[-l] <value [value […]]> |
Specifies the Event Trace log file to process. |
-rt <session_name [session_name […]]> |
Specifies the Real-time Event Trace Session data sources. |
| -? | Displays help at the command prompt. |
Examples
To create a report based on the two event logs logfile1.etl and logfile2.etl, and to create the dump file logdump.xml in XML format, type:
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
To create a report based on the event log logfile.etl, to create the dump file logdmp.xml in XML format, to use best efforts to identify events not in the schema, and to produce a summary report file logdump.txt and a report file, logrpt.xml, type:
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
To use the two event logs logfile1.etl and logfile2.etl to produce a dump file, and to report file with the default filenames, type:
tracerpt logfile1.etl logfile2.etl -o -report
To use the event log logfile.etl and the performance log counterfile.blg to produce the report file logrpt.xml and the Microsoft-specific XML schema file schema.xml, type:
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
To read the real-time Event Trace Session NT Kernel Logger and to produce the dump file logfile.csv in CSV format, type:
tracerpt -rt NT Kernel Logger -o logfile.csv -of CSV
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.